Corporate Responsibility 


Status report on data privacy 


In the following, Deutsche Telekom provides information on incidents relevant to data 
privacy and on the measures it has taken in response to them. 


With the introduction of the General Data Protection Regulation (GDPR) in May 2018, the 
threshold for reporting a data breach has been lowered. Low-risk incidents must now be 
reported to the authorities as well. This includes, for example, incorrectly sent emails and 
invoices. 


In the following, only significant data breaches from the last few years are listed. 


The document "Reporting of Data Breaches" (pdf, 729.1 KB) explains what a data privacy 
incident can be and how the internal reporting process works. 


Data breaches 


OTE and Cosmote were fined a total of €9.25 million by the Greek data protection 
authority. This was triggered by a hacker attack in September 2020 and a 
corresponding investigation by the supervisory authority. The investigations identified, 
among other things, the breach of the security of the processing and the insufficient 
implementation of the data protection impact assessment and the information 
requirements. After the vulnerability became known, appropriate protective measures 
were taken immediately to prevent a recurrence. 


The Slovakian data protection authority imposed a fine totaling EUR 40,000 on Slovak 
Telekom. This was triggered, among other things, by a violation of the principles of 
lawful processing of personal data and by insufficient implementation of the 
obligation to inform data subjects before processing their data. This led to the 
unauthorized use of data of employees of an internal project of the two companies 
Slovak Telekom and T-Mobile Czech Republic. After the shortcoming became known, 
measures were taken immediately to prevent a recurrence. 
Telekom Romania was fined by the Romanian Data Protection Authority (DPA) with a 
total of €15,000 for failing to implement adequate security measures to ensure the 
security of personal data processing. This led to the unauthorized disclosure of the data 
of 99,210 customers, including their customer number, gender and telephone number, 
as well as unauthorized access to the personal data stored in the accounts of 413 
customers. Mitigation measures have been introduced by Telekom Romania. 


A programming error occurred in the online booking process for the "MagentaEins" 
option at Telekom Deutschland GmbH (TDG): contrary to TDG's instructions, the 
implementing service provider designed the booking process in such a way that the 
customer could not book the tariff without giving advertising consent. 


The error was corrected as soon as it became known and the unlawfully generated 
consents were deleted from the systems immediately. 


In future, it will be checked in direct dialogue with the service provider, and documented 
in minutes, whether the service provider follows TDG's instructions during 
implementation. 


After this incident became known it was promptly reported to the authorities. 


In the course of a "StreamOn" product campaign, Telekom Deutschland GmbH also sent 
advertising SMS to customers who had not given Telekom Deutschland GmbH the 
corresponding advertising consent. A total of around 650,000 customers were 
affected. The faulty dispatch was due to a technical error in the processing system. After 
the error was detected, new test routines were immediately established during the 
campaign to rule out a repetition. The second dispatch wave was already corrected 
accordingly, so that no further faulty dispatch took place. We are in contact with the 
responsible supervisory authority (BfDI). 


As a result of an operational error, access data for a system at T-Systems appeared on a 
public developer platform. An unknown person thus gained access to a so-called ticket 
system and copied e-mail addresses and telephone numbers of internal developers as 
well as of about 40 users. The ticket system is used by developers to process error 
reports (tickets) as part of a T-Systems cloud service. 


Our technicians closed the compromised interface as soon as it was discovered. 
According to ongoing analyses, service tickets were copied, in some cases also 
mentioning the email addresses and phone numbers of users who had reported errors. 
In the meantime, the unknown attacker has been identified. Further investigation has 
shown that the data copied by the attacker was not passed on. All copied data could be 
deleted effectively. 


Customer systems themselves were not affected. 


T-Systems has contacted the relevant data protection authorities. Affected users will 
be informed immediately. 


In the Telekom Shop Schwentinental, a customer had data from her old device 
transferred to another device. This data transfer took place via a USB stick, which was 
handed out to the customer. The customer noticed that the USB stick contained data of 
other persons in addition to her own data. According to the press release, these data 
included private photos, names and telephone numbers of seven other persons. 


Data privacy is our top priority. We are currently reviewing the process and are in 
contact with the responsible supervisory authority (BfDI). The defined process provides 
that data transfers requested by the customer from one device to another are carried 
out via new, unused USB sticks which the customer buys. This prevents data from third 
parties from being stored on the stick. We are currently investigating why this standard 
process was deviated from in the Telekom Shop Schwentinental. 


Due to a fault in the billing process, 4,600 customer invoices were sent 
incorrectly in mid-May 2017. The customers in question have been informed and the 
problem has been fixed. 


The T-Systems subsidiary MMS migrated 2,300 customers of the Cloud Manager 
service to the latest system version. In one case a technical error occurred: due to a 
delay in migrating the customer's inbox, combined with a temporary technical error 
occurring at the same time, the customer was able to access that inbox. Since the 
access rights of the inbox had not yet been fully implemented at that point, the customer 
obtained extended read-only rights and was thereby able to access additional data 
of other customers on the server. This included telephone numbers, email addresses 
and, in some cases, postal addresses. Sensitive data such as passwords or account 
data was not stored on the affected server. Deutsche Telekom took immediate action to 
prevent this technical error in future and contacted the affected customers as well as 
the supervisory authorities. Telekom also contacted the customer in question to ensure that 
all data obtained through the unauthorized access to other customers' data was 
deleted. 
A member of the German Bundestag had terminated his contract with Deutsche 
Telekom in October 2016 and had asked for the final bill to be sent to a new address. Before 
that, the bill was sent to a centralized P.O. box of the Bundestag. This P.O. box was also 
the address of other members of parliament. When the address for the final 
bill was changed, all other addresses with the same P.O. box reference were changed to the new 
address of this customer. The mistake was corrected; about 55 such cases were 
reported. The bills contain information about the chosen contract, the 
invoice amount and other services connected to the contract (e.g. fixed-line or mobile 
contracts, rented devices), as well as the address. Itemized billing was not part of this bill. The 
affected customers were informed. 


Telekom offers an opt-out from the anonymized processing of data via Motionlogic 
GmbH, which involves transmitting certain information (age group, sex, zip code). At the end of 
September 2016 a customer informed us that, besides the secure (https) opt-out page, 
an unprotected page was also active. Telekom took the page down immediately. 
The page is used by customers to enter their name and mobile phone number in order to receive 
a code to disable the anonymized processing. 


A technical fault on May 20, 2016, led to a malfunction in the group chat function of 
RCS/Message+. As a result, new participants were automatically added to 
existing chat groups without an invitation, and could not be removed from these 
groups. Deutsche Telekom deactivated the chat function in RCS/Message+ as soon as 
it became aware of the fault, and is working on resolving the fault. The supervisory 
authority was notified and Deutsche Telekom is working on identifying the customers 
affected and informing them of the situation. 


In April 2016 Telekom customers were informed in writing about the increase in data 
volume for MagentaMobil rate plans. Due to a manual processing error about 50 
customers received a personalized letter which did not match the personalized 
envelope. This way recipients received information about the name and mobile phone 
number of another customer. Deutsche Telekom informed the customers affected and 
the supervisory authorities of the processing error. 


The "Kundencenter" customer center app lets Telekom customers manage their 
mobile and fixed-network lines on their smartphones. On March 29, 2016, on 
installation of the newest app version for iOS devices (version 5.3.6) in the app store, 
we became aware of cases in which incorrect data was displayed to users. As far as 
we are aware, the data that was displayed was for a single individual. Telekom is 
working on eliminating this error and has therefore deactivated the app and 
removed it from the app store. Owners of Android devices can continue to use the 
"Kundencenter" app as normal. The same applies to users of previous versions of 
the iOS "Kundencenter" app (5.3.5 or earlier). We apologize for the inconvenience 
and will provide a new, error-free version of the app as quickly as possible. Until 
then, Deutsche Telekom asks its customers to use the customer center on its 
website, at www.telekom.de/kundencenter. 


Between March 24 and March 31, 2016, there was a technical malfunction affecting 
services and platforms that use the so-called Telekom Login service. In a few cases, customers 
who had registered with a non-T-Online mail address were able to access data of 
other customers. Telekom temporarily disabled the affected logins and set up a 
hotline for customers to report any irregularities (the hotline was closed on June 30, 
2016, as planned). The supervisory authorities were informed. 


A check carried out on a call center partner revealed in December 2015 that, among 
other things, the partner was employing a subcontractor that had not been 
approved and was passing customer data on to this company. This is a serious violation 
of the agreement on commissioned data processing. Telekom has therefore 
terminated the contract with the call center without notice. 


In March 2015, the "Data privacy and information protection" training course was 
launched for all staff in the Deutsche Telekom Group. The online course informs 
participants on what the law allows and what needs to be strictly complied with. It is 
updated every two years and is mandatory for all employees in Germany. One of its 
focuses is the Binding Corporate Rules Privacy, the Group's most important internal 
data protection policy. It also provides useful tips on the correct way of handling 
sensitive information and documents. The training course guarantees consistent 
global data protection standards when processing customer and employee data 
within the Deutsche Telekom Group. 


Due to a technical fault in the fault-reporting section of the online customer center, a single 
customer gained unauthorized access to another customer's data at the beginning 
of February 2014. That individual had access to information such as the other 
customer's telephone number and fault details, but had no access to sensitive 
data such as passwords and bank and payment details. Deutsche Telekom took 
action immediately, introducing technical measures to ensure that this or similar 
types of fault would not occur again in future. 


https://www.telekom.com/en/corporate-responsibility/data-protection-data-security/news/status-report-on-data-privacy-356016 


6/13/22, 3:48 PM Status report on data privacy | Deutsche Telekom 


In May 2014, due to a processing error, an e-mail was sent to the wrong customer 
address. An attachment to the e-mail contained reports on the cell phone contracts 
of another customer. Deutsche Telekom informed the affected customers of the 
incident and adjusted the processes used for sending reports. 


Thanks to a tip-off from an employee, an error was spotted in Deutsche Telekom's 
mobile communications portal in the assignment of contracts to online accounts 
(login accounts). This error meant that in certain circumstances, customers could 
potentially view the contract data of another customer. In order to ensure the 
exclusion of cases of unauthorized viewing, the affected parts of the online 
customer portal for mobile communications were taken offline for several hours on 
April 25, 2014 and only reactivated once the error had been reliably eliminated. 


In the Internet sales portal for business customers, a technical error was discovered 
in a link thanks to a customer tip-off. This error could lead to a customer being 
shown the contractual documents of another business customer upon concluding a 
new customer contract. This affected among other things the account details of 
companies and personal data of company owners, such as date of birth and ID 
number. 


The error only occurred under certain circumstances and only for customers who 
called up their order confirmation by link and did not use the correct confirmation 
sent in parallel by e-mail. It is therefore impossible to determine how many 
customers were actually affected. As a precautionary measure, Deutsche Telekom is 
writing to all 2,107 potentially affected customers. Deutsche Telekom also informed 
the supervisory authorities. 


Incorrect account information for a business customer administration portal: Deutsche 
Telekom accidentally sent the wrong activation link to around 120 business 
customers in an e-mail during a system migration. The platform on which users 
manage Internet domains was therefore temporarily removed from the network as a 
precautionary measure until the problem was resolved. Deutsche Telekom informed 
the affected customers. 


Of these, only 28 users of the new administration portal actually 
used the wrong activation link. The error was noticed within a few hours, after which 
the DT platform was temporarily disabled to prevent unauthorized use. No damage 
occurred as a result, and the data error was identified and corrected promptly. 


The trigger for this was a system error in which e-mails were incorrectly assigned. 
Even before the migration, DT had asked the portal users to save and verify their e-mail 
addresses to make sure that only authorized users would receive the activation e-mail. 
However, during the required transfer of e-mail addresses, data was nonetheless 
mixed up through a system error when the data was being exported. 


While preparing for an IT system migration, it became apparent that the system in 
question contained personal employee data when it should only have contained 
anonymized data. The system was frozen and the works council immediately 
informed. Employees were informed on August 26, 2013. 


In June 2013, customer orders were found to have been attached to packages of 
hardware in a Telekom retail partner shop to reserve the hardware for customers. 
The error was immediately eliminated and partners were provided refresher training 
on data privacy. 


In mid-November 2012, human error resulted in the original versions of several 
customer orders and/or order confirmations being sent by a store-based sales 
partner to one individual customer. 


An SQL CREATE script containing the internal contact data of Deutsche Telekom 
employees (name, department, unit and telephone number) was published on an 
Internet site. The data was deleted immediately upon detection. 


At the beginning of May 2012, Deutsche Telekom found out that there was a security 
issue with one of their online applicant portals. An unknown attacker managed to 
exploit this security issue by downloading applicant documents such as CVs, 
references and letters from the corresponding application on the Internet. 


Once it had been discovered, the security issue was immediately resolved and the 
danger of losing further applicant data was ruled out. All types of similar 
applications are currently being examined. The state commissioner for data 
protection in North-Rhine Westphalia was informed and Deutsche Telekom has filed 
charges. Those affected have been notified. 


Due to a technical fault in the online customer center for the fixed network, an 
individual customer was able to gain unauthorized access to another customer's 
data at the beginning of February 2012. This customer had access to information 
such as the address, contact details and most recent phone bill of the other 
customer, including the itemized bill. Other sensitive data such as passwords and 
bank and payment details were not affected. Deutsche Telekom took action 
immediately, introducing technical measures to ensure that this kind of fault or 
similar faults do not occur again in future. The customer who accessed the data 
without authorization has received written instructions from Deutsche Telekom to 
delete this information, which he or she is not entitled to access, and to provide the 
company with written confirmation that he or she has done so. 


An unauthorized party has accessed an ImmobilienScout24 server from outside the 
company. Access was gained to the address and contact information, customer 
numbers and names of both commercial and private vendors. The data itself is 
largely already available on the ImmobilienScout24 website as it is the standard 
information included in the contact field for real estate advertisements. Data has 
also been taken from contact forms, such as catalog requests or inquiries. No 
passwords, bank details or other financial data were taken. ImmobilienScout24, a 
subsidiary of Deutsche Telekom, blocked the access path immediately and has since 
restored the security of the server attacked. Vendors and users have been notified. 
The company has filed charges against an unknown party with the public 
prosecutor's office in Berlin. 


Technical tests have shown that the Speedport W723V WLAN router, which is 
currently sold by Deutsche Telekom, is not appropriately preconfigured to provide 
sufficient data privacy and protection. With some technical effort it is possible to 
determine the factory-set WPA key, which would enable unauthorized access to the WLAN 
network. After receiving these results and those of other tests conducted by the 
Company, Deutsche Telekom published information for its customers on the 
websites telekom.com and telekom.de advising customers to change the factory 
pre-configured WLAN passwords on all routers. At the same time, Deutsche 
Telekom is preparing customer information that will be included in new deliveries of 
those routers that could be affected by such a weakness. Deutsche 
Telekom also contacted the router manufacturer immediately to put a process in 
place that will again ensure that all routers preconfigured at the factory are 
secure. 


Between April 14, 2011 and May 10, 2011, six e-mail messages with documents from 
three customers, who are claiming damages against Telekom Deutschland GmbH in 
court, were sent to an incorrect e-mail address, due to human error. The e-mail 
attachments contained copies of the disputed bills, mobile phone contracts and 
account statements. The bills contained addresses, customer numbers and bank 
details. When the error was discovered, the Company immediately asked the 
incorrect recipient to delete any e-mail messages that were not intended for him 
personally. Deutsche Telekom notified the affected customers about the incident 
and contacted them to ask whether they would like a new customer number. 


In mid-August 2010, a memory stick with financial information about British 
subsidiaries of Deutsche Telekom was lost in transport on its way to Germany. The 
data on the stick is encrypted. No customer data is affected. 




© 2022 Deutsche Telekom AG 




